Please enhance NetworkManager such that DNSSEC validation is done whenever possible
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
dnsmasq (Ubuntu) |
Invalid
|
Wishlist
|
Unassigned | ||
network-manager (Ubuntu) |
Triaged
|
Wishlist
|
Unassigned |
Bug Description
Network Manager in Precise uses a local forwarding DNS server (dnsmasq). This does not perform DNSSEC validation, although it is configured to proxy the DNSSEC validation result from the upstream server, for which the manpage mentions the following caveat:
"You should only do this if you trust all the configured upstream nameservers and the network between you and them."
Since not all networks or upstream DNS servers are trustworthy, the safest place to perform DNSSEC validation is on the client. Using a local DNS server which cannot validate is a missed opportunity; by replacing dnsmasq with a more-capable DNS server (e.g. Unbound) security against DNS poisoning and MITM attacks could be improved.
visibility: | private → public |
Changed in dnsmasq (Ubuntu): | |
status: | Triaged → Invalid |
summary: |
- Validate DNSSEC by default + Please enhance NetworkManager such that DNSSEC validation is done + whenever possible |
This wouldn't really be different that=n using libc for resolving, so I don't think it really qualifies as a security issue.
You can still perform DNSSEC validation, which is the actual difference from if DNSSEC proxying wasn't supported by dnsmasq. Granted, it doesn't automatically do the validation itself, but neither do most programs (or libc).
Should you want to have DNSSEC validation on your system for now, you might want to install the DNSSEC Validator plugin for Firefox.
It definitely should be done, but this will depend on work upstream or by developers. In other words, patches welcome, for fixing dnsmasq itself.
We may look into adding support for unbound as a resolver in NM; to be determined.